by wodenokoto 1892 days ago
So apparently this is a thumbnail manager located at http://url-wiki.com/

That url gives me a blank page with the letters “wtf”

2 comments

It looks like the site had some hideously insecure file upload function which someone's taken advantage of to nuke the site.

If I go to the archived version [0] of the site and click the + button I end up at [1]

[0] https://web.archive.org/web/20210329151816/http://url-wiki.c...

[1] https://web.archive.org/web/20210329151816mp_/http://url-wik...

Edit: on closer inspection you can overwrite the whole index page just by passing in URL-encoded HTML in one of the form fields.

Edit 2: It's even worse than I thought. Arbitrary file upload. Flagging this post for its own good.
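The two defects the comment above describes (form-field HTML written over the index page, and arbitrary file upload), and the later reply that the vulnerable PHP script itself has to go, are easier to see side by side. The following is an added illustration written for this page, not url-wiki.com's code (which is not shown anywhere in the thread): a minimal PHP upload handler that reproduces both defects, followed by a hardened version. Field names, paths and the 2 MB limit are hypothetical.

```php
<?php
// Added illustration, not url-wiki.com's code. Field names ('title',
// 'thumbnail'), paths and limits are hypothetical.
declare(strict_types=1);

// ---- Vulnerable (do NOT deploy) -----------------------------------------
function handle_upload_insecure(array $post, array $file, string $webroot): void
{
    // Defect 1: a form field is written verbatim into the index page. PHP
    // URL-decodes the request body before it reaches $post, so a value such
    // as %3Cscript%3E... arrives as "<script>..." and becomes live markup.
    $html = "<h1>" . $post['title'] . "</h1>\n";
    file_put_contents($webroot . '/index.html', $html);

    // Defect 2: the client chooses the file name, hence the extension, and the
    // file lands inside the web root. An upload called shell.php is then
    // executed by the same PHP handler that serves the site.
    move_uploaded_file($file['tmp_name'], $webroot . '/' . $file['name']);
}

// ---- Hardened ------------------------------------------------------------
// Extension is derived from the detected MIME type, never from the client.
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

function handle_upload_secure(array $post, array $file, string $storage): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {            // hypothetical limit
        throw new RuntimeException('file too large');
    }

    // Sniff the bytes; ignore $file['type'], which the client controls.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Rejects files that only carry a forged magic header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-chosen random name, stored OUTSIDE the web root so nothing a
    // user uploads can ever be executed as a script.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storage, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }

    // User text stays data. It is escaped at render time and is never
    // written into a static page as HTML.
    $titleHtml = htmlspecialchars((string)($post['title'] ?? ''),
                                  ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return ['file' => $name, 'title_html' => $titleHtml];
}

// Example use from a request handler:
// $r = handle_upload_secure($_POST, $_FILES['thumbnail'], __DIR__ . '/../uploads');
// echo '<h1>' . $r['title_html'] . '</h1>';
```

Because the hardened version keeps uploads outside the web root, they are served through a small read-only script (set the Content-Type from the stored extension and `readfile()` the path) or an `X-Sendfile`-style directive, never by a direct URL into the upload directory. Taking the form out of the HTML, as the site owner did, does nothing on its own: the PHP script still accepts a crafted POST request, which is the point of the "remove the vulnerable PHP script too" reply.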

Thank you very much for pointing that out. I didn't realize there was a security hole. I would like to study the input form a little more. For the top page, JavaScript has been completely removed.
You need to remove the vulnerable PHP script too
I would like to fix the security hole in the PHP scripts as well. Thank you for pointing this out in such detail.
Thank you very much for your comment. The top page was changed to the characters "wtf" because of malicious users. Now that all the input forms and JavaScript have been removed, you can browse correctly.